16 May 2011 modus » (Apprentice)

modus_operandi writes (via FARK.com):

Clever malware authors have come up with a way to disguise malicious executable files as innocuous data types by writing the file name backwards.

On May 11, analysts at Norman ASA (anti-virus software vendor based in Sweden) published details of the exploit in this report: "The RTLO unicode hole — sequence manipulation as an attack vector".

The trick is accomplished by using Unicode control characters such as 0x202E (right-to-left override) and 0x202B (right-to-left embedding) to reverse the direction of the text in the middle of a filename, and may be used to camouflage filename extensions in email attachments and on the web. Additional information can be found here (PDF) and here.

Although the payload is likely to be targeted at users of Microsoft Windows operating systems (which rely on filename extensions to determine whether a binary is executable), the exploit works on any operating system which handles Unicode correctly. That means Linux and UNIX-based operating systems, including Mac OS X, will also be fooled into displaying a deceptive filename.
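As an added defensive example (not from the post or from Norman's report), the Python below flags filenames carrying the bidi control characters the post names, approximates what a viewer would display once the override reverses the text, and reports when the real extension differs from the displayed one. The sample names are constructed for illustration.

```python
import os
import unicodedata

# Bidirectional control characters that can change how a filename is displayed.
# U+202E (RLO) and U+202B (RLE) are the ones named in the post; the rest are the
# related Unicode bidi controls a mail or download filter should treat the same way.
BIDI_CONTROLS = frozenset("\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069")


def find_bidi_controls(name):
    """List (position, 'U+XXXX', Unicode name) for every bidi control in a filename."""
    return [(i, "U+%04X" % ord(c), unicodedata.name(c))
            for i, c in enumerate(name) if c in BIDI_CONTROLS]


def apparent_name(name):
    """Approximate what a viewer shows: text after a right-to-left override
    (U+202E) is drawn reversed, and the controls themselves are invisible."""
    head, sep, tail = name.partition("\u202E")
    shown = head + tail[::-1] if sep else name
    return "".join(c for c in shown if c not in BIDI_CONTROLS)


def classify(name):
    """Describe the real extension, the displayed extension and whether the two
    disagree, which is the camouflage the post describes."""
    controls = find_bidi_controls(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(apparent_name(name))[1].lower()
    return {
        "name": name,
        "controls": controls,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "suspicious": bool(controls),
        "extension_spoofed": real_ext != shown_ext,
    }


# Constructed sample attachment names (not from the post): one benign, one
# carrying U+202E so that the raw tail "fdp.exe" is displayed as "exe.pdf".
SAMPLE_NAMES = ["quarterly_report.pdf", "invoice\u202Efdp.exe"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = classify(n)
        print("%r shown as %r: real %s, displayed %s, spoofed=%s"
              % (n, apparent_name(n), r["real_ext"], r["shown_ext"], r["extension_spoofed"]))
```

A mail gateway or download scanner can reject or quarantine any name for which `suspicious` is true, since legitimate attachment names almost never contain these controls.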
